Example 21 with DNSName

Use of org.minidns.dnsname.DNSName in project minidns by MiniDNS: the class DaneVerifier, method verifyCertificateChain.

/**
 * Verifies a certificate chain to be valid when used with the given connection details using DANE.
 *
 * @param chain A certificate chain that should be verified using DANE.
 * @param hostName The DNS name of the host this certificate chain belongs to.
 * @param port The port number that was used to reach the server providing the certificate chain in question.
 * @return Whether the DANE verification is the only requirement according to the TLSA record.
 * If this method returns {@code false}, additional PKIX validation is required.
 * @throws CertificateException if the certificate chain provided differs from the one enforced using DANE.
 */
public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException {
    // TLSA records are published at _<port>._tcp.<host> (RFC 6698).
    DNSName req = DNSName.from("_" + port + "._tcp." + hostName);
    DNSMessage res;
    try {
        res = client.query(req, Record.TYPE.TLSA);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
    // A TLSA answer that did not validate under DNSSEC carries no trust:
    // report why and leave the decision to ordinary PKIX validation.
    if (!res.authenticData) {
        String msg = "Got TLSA response from DNS server, but was not signed properly.";
        if (res instanceof DNSSECMessage) {
            msg += " Reasons:";
            for (UnverifiedReason reason : ((DNSSECMessage) res).getUnverifiedReasons()) {
                msg += " " + reason;
            }
        }
        LOGGER.info(msg);
        return false;
    }
    List<DaneCertificateException.CertificateMismatch> certificateMismatchExceptions = new LinkedList<>();
    boolean verified = false;
    for (Record<? extends Data> record : res.answerSection) {
        if (record.type == Record.TYPE.TLSA && record.name.equals(req)) {
            TLSA tlsa = (TLSA) record.payloadData;
            try {
                // Only the end-entity certificate (chain[0]) is matched against each TLSA record.
                verified |= checkCertificateMatches(chain[0], tlsa, hostName);
            } catch (DaneCertificateException.CertificateMismatch certificateMismatchException) {
                // Record the mismatch and only throw an exception if no
                // TLSA RR is able to verify the cert. This allows for TLSA
                // certificate rollover.
                certificateMismatchExceptions.add(certificateMismatchException);
            }
            if (verified)
                break;
        }
    }
    if (!verified && !certificateMismatchExceptions.isEmpty()) {
        throw new DaneCertificateException.MultipleCertificateMismatchExceptions(certificateMismatchExceptions);
    }
    return verified;
}
Imports used: org.minidns.record.TLSA, java.io.IOException, org.minidns.dnsname.DNSName, java.util.LinkedList, org.minidns.dnssec.UnverifiedReason, org.minidns.dnssec.DNSSECMessage, org.minidns.dnsmessage.DNSMessage

Example 22 with DNSName

Use of org.minidns.dnsname.DNSName in project minidns by MiniDNS: the class RRSIG, method parse.

public static RRSIG parse(DataInputStream dis, byte[] data, int length) throws IOException {
    TYPE typeCovered = TYPE.getType(dis.readUnsignedShort());
    byte algorithm = dis.readByte();
    byte labels = dis.readByte();
    // These are unsigned 32-bit fields; mask off the sign extension from readInt().
    long originalTtl = dis.readInt() & 0xFFFFFFFFL;
    Date signatureExpiration = new Date((dis.readInt() & 0xFFFFFFFFL) * 1000);
    Date signatureInception = new Date((dis.readInt() & 0xFFFFFFFFL) * 1000);
    int keyTag = dis.readUnsignedShort();
    DNSName signerName = DNSName.parse(dis, data);
    // The fixed header fields occupy 18 bytes (2+1+1+4+4+4+2); the signature
    // fills whatever RDATA remains after the signer name.
    int sigSize = length - signerName.size() - 18;
    if (sigSize < 0)
        throw new IOException("RRSIG RDATA length " + length + " is too short for its signer name");
    byte[] signature = new byte[sigSize];
    // readFully() raises EOFException on a truncated record rather than
    // returning a short read.
    dis.readFully(signature);
    return new RRSIG(typeCovered, null, algorithm, labels, originalTtl, signatureExpiration, signatureInception, keyTag, signerName, signature);
}
Imports used: java.io.IOException, org.minidns.dnsname.DNSName, org.minidns.record.Record.TYPE, java.util.Date

Example 23 with DNSName

Use of org.minidns.dnsname.DNSName in project minidns by MiniDNS: the class Record, method parse.

/**
 * Parse a given record based on the full message data and the current
 * stream position.
 *
 * @param dis The DataInputStream positioned at the first record byte.
 * @param data The full message data.
 * @return the record which was parsed.
 * @throws IOException In case of malformed replies.
 */
public static Record<Data> parse(DataInputStream dis, byte[] data) throws IOException {
    DNSName name = DNSName.parse(dis, data);
    int typeValue = dis.readUnsignedShort();
    TYPE type = TYPE.getType(typeValue);
    int clazzValue = dis.readUnsignedShort();
    // The top bit of the class field is the mDNS unicast-response / cache-flush
    // flag, not part of the class value itself.
    CLASS clazz = CLASS.getClass(clazzValue & 0x7fff);
    boolean unicastQuery = (clazzValue & 0x8000) > 0;
    // TTL is an unsigned 32-bit value; assemble it from two 16-bit reads.
    long ttl = (((long) dis.readUnsignedShort()) << 16) + dis.readUnsignedShort();
    int payloadLength = dis.readUnsignedShort();
    Data payloadData;
    switch(type) {
        case SOA:
            payloadData = SOA.parse(dis, data);
            break;
        case SRV:
            payloadData = SRV.parse(dis, data);
            break;
        case MX:
            payloadData = MX.parse(dis, data);
            break;
        case AAAA:
            payloadData = AAAA.parse(dis);
            break;
        case A:
            payloadData = A.parse(dis);
            break;
        case NS:
            payloadData = NS.parse(dis, data);
            break;
        case CNAME:
            payloadData = CNAME.parse(dis, data);
            break;
        case DNAME:
            payloadData = DNAME.parse(dis, data);
            break;
        case PTR:
            payloadData = PTR.parse(dis, data);
            break;
        case TXT:
            payloadData = TXT.parse(dis, payloadLength);
            break;
        case OPT:
            payloadData = OPT.parse(dis, payloadLength);
            break;
        case DNSKEY:
            payloadData = DNSKEY.parse(dis, payloadLength);
            break;
        case RRSIG:
            payloadData = RRSIG.parse(dis, data, payloadLength);
            break;
        case DS:
            payloadData = DS.parse(dis, payloadLength);
            break;
        case NSEC:
            payloadData = NSEC.parse(dis, data, payloadLength);
            break;
        case NSEC3:
            payloadData = NSEC3.parse(dis, payloadLength);
            break;
        case NSEC3PARAM:
            payloadData = NSEC3PARAM.parse(dis);
            break;
        case TLSA:
            payloadData = TLSA.parse(dis, payloadLength);
            break;
        case OPENPGPKEY:
            payloadData = OPENPGPKEY.parse(dis, payloadLength);
            break;
        case DLV:
            payloadData = DLV.parse(dis, payloadLength);
            break;
        case UNKNOWN:
        default:
            payloadData = UNKNOWN.parse(dis, payloadLength, type);
            break;
    }
    return new Record<>(name, type, clazz, clazzValue, ttl, payloadData, unicastQuery);
}
Imports used: org.minidns.dnsname.DNSName

Example 24 with DNSName

Use of org.minidns.dnsname.DNSName in project minidns by MiniDNS: the class SRV, method parse.

public static SRV parse(DataInputStream dis, byte[] data) throws IOException {
    int priority = dis.readUnsignedShort();
    int weight = dis.readUnsignedShort();
    int port = dis.readUnsignedShort();
    DNSName name = DNSName.parse(dis, data);
    return new SRV(priority, weight, port, name);
}
Imports used: org.minidns.dnsname.DNSName

Example 25 with DNSName

Use of org.minidns.dnsname.DNSName in project minidns by MiniDNS: the class ResolverApi, method reverseLookup.

public ResolverResult<PTR> reverseLookup(Inet4Address inet4Address) throws IOException {
    // Reverse the octets (e.g. 192.0.2.1 -> 1.2.0.192) and append in-addr.arpa
    // to form the PTR owner name.
    DNSName reversedIpAddress = InetAddressUtil.reverseIpAddressOf(inet4Address);
    DNSName dnsName = DNSName.from(reversedIpAddress, DNSName.IN_ADDR_ARPA);
    return resolve(dnsName, PTR.class);
}
Imports used: org.minidns.dnsname.DNSName
